refactor(infra): single SAN certificate for all domains

- All HTTPS blocks share one cert path: /etc/letsencrypt/live/bcsdlab.com/
- init-ssl.sh requests one certificate with all domains via --cert-name
- Simplifies renewal (one cert to renew instead of three)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ImTotem

infra/nginx/bcsd-api.conf

@@ -38,8 +38,8 @@ server {
     listen 443 ssl http2;
     server_name api.bcsdlab.com;
 
-    ssl_certificate /etc/letsencrypt/live/api.bcsdlab.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/api.bcsdlab.com/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/bcsdlab.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/bcsdlab.com/privkey.pem;
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;
@@ -78,8 +78,8 @@ server {
     listen 443 ssl http2;
     server_name internal.bcsdlab.com stage.bcsdlab.com;
 
-    ssl_certificate /etc/letsencrypt/live/stage.bcsdlab.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/stage.bcsdlab.com/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/bcsdlab.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/bcsdlab.com/privkey.pem;
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;
@@ -128,8 +128,8 @@ server {
     listen 443 ssl http2;
     server_name n8n.bcsdlab.com;
 
-    ssl_certificate /etc/letsencrypt/live/n8n.bcsdlab.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/n8n.bcsdlab.com/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/bcsdlab.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/bcsdlab.com/privkey.pem;
 
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;

infra/scripts/init-ssl.sh

@@ -7,13 +7,15 @@ fi
 
 NGINX_AVAILABLE="/etc/nginx/sites-available/bcsd-api.conf"
 NGINX_ENABLED="/etc/nginx/sites-enabled/bcsd-api.conf"
+CERT_NAME="bcsdlab.com"
 DOMAIN="${DOMAIN:?Set DOMAIN in .env}"
 N8N_DOMAIN="${N8N_DOMAIN}"
 FRONTEND_DOMAIN="${FRONTEND_DOMAIN}"
 
-DOMAINS="$DOMAIN"
-[ -n "$N8N_DOMAIN" ] && DOMAINS="$DOMAINS $N8N_DOMAIN"
-[ -n "$FRONTEND_DOMAIN" ] && DOMAINS="$DOMAINS $FRONTEND_DOMAIN internal.bcsdlab.com"
+DOMAIN_ARGS="-d $DOMAIN"
+SERVER_NAMES="$DOMAIN"
+[ -n "$N8N_DOMAIN" ] && DOMAIN_ARGS="$DOMAIN_ARGS -d $N8N_DOMAIN" && SERVER_NAMES="$SERVER_NAMES $N8N_DOMAIN"
+[ -n "$FRONTEND_DOMAIN" ] && DOMAIN_ARGS="$DOMAIN_ARGS -d $FRONTEND_DOMAIN -d internal.bcsdlab.com" && SERVER_NAMES="$SERVER_NAMES $FRONTEND_DOMAIN internal.bcsdlab.com"
 
 echo "=== Initial SSL Certificate Setup ==="
 
@@ -22,7 +24,7 @@ sudo mkdir -p /var/www/certbot
 cat <<EOF | sudo tee "$NGINX_AVAILABLE" > /dev/null
 server {
     listen 80;
-    server_name $DOMAINS;
+    server_name $SERVER_NAMES;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -36,36 +38,16 @@ EOF
 sudo ln -sf "$NGINX_AVAILABLE" "$NGINX_ENABLED"
 sudo nginx -t && sudo nginx -s reload
 
-echo "2. Requesting certificate for $DOMAIN..."
+echo "2. Requesting certificate for: $SERVER_NAMES"
 sudo certbot certonly \
     --webroot \
     -w /var/www/certbot \
-    -d "$DOMAIN" \
+    --cert-name "$CERT_NAME" \
+    $DOMAIN_ARGS \
     --register-unsafely-without-email \
     --agree-tos
 
-if [ -n "$N8N_DOMAIN" ]; then
-    echo "3. Requesting certificate for $N8N_DOMAIN..."
-    sudo certbot certonly \
-        --webroot \
-        -w /var/www/certbot \
-        -d "$N8N_DOMAIN" \
-        --register-unsafely-without-email \
-        --agree-tos
-fi
-
-if [ -n "$FRONTEND_DOMAIN" ]; then
-    echo "4. Requesting certificate for $FRONTEND_DOMAIN (+ internal.bcsdlab.com)..."
-    sudo certbot certonly \
-        --webroot \
-        -w /var/www/certbot \
-        -d "$FRONTEND_DOMAIN" \
-        -d internal.bcsdlab.com \
-        --register-unsafely-without-email \
-        --agree-tos
-fi
-
-echo "5. Installing full nginx config with HTTPS..."
+echo "3. Installing full nginx config with HTTPS..."
 sudo cp infra/nginx/bcsd-api.conf "$NGINX_AVAILABLE"
 sudo nginx -t && sudo nginx -s reload